In an Active Directory domain, a protocol called Kerberos is used to authenticate identities. When a user or computer logs on to the domain, Kerberos authenticates its credentials and issues a package of information called a ticket granting ticket (TGT). Before the user connects to a server to request a resource such as a document, a Kerberos request is sent to a domain controller along with the TGT that identifies the authenticated user. The domain controller issues the user another package of information called a service ticket that identifies the authenticated user to the server. The user presents the service ticket to the server, which accepts the service ticket as proof that the user has been authenticated. These Kerberos transactions result in a single network logon. After the user or computer has initially logged on and has been granted a TGT, the user is authenticated within the entire domain and can be granted service tickets that identify the user to any service. All of this ticket activity is managed by the Kerberos clients and services built into Windows and is transparent to the user.
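The three exchanges above (logon for a TGT, TGT for a service ticket, service ticket presented to the server) as an added toy model, not Microsoft's code: each principal shares one long-term key with the KDC, tickets are sealed so that only the KDC or the target service can open them, and the server never needs the user's key. The key values and principal names are constructed, and the stdlib-only seal() stands in for the AES encryption types, session keys and authenticators of real Kerberos.

```python
# Toy Kerberos ticket flow (added example). seal()/unseal() are a
# stdlib-only encrypt-then-MAC stand-in for Kerberos encryption types;
# session keys and authenticators are omitted for brevity.
import hashlib, hmac, json, os, time

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key: bytes, claims: dict) -> bytes:
    pt = json.dumps(claims, sort_keys=True).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()

def unseal(key: bytes, blob: bytes) -> dict:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        raise PermissionError("ticket rejected: wrong key or tampered")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

# Constructed key table as the KDC would hold it (assumed sample values).
KDC_KEYS = {"alice": b"alice-long-term-key", "cifs/fs01": b"fs01-host-key"}
KRBTGT_KEY = b"krbtgt-key"          # KDC-only key that seals TGTs

def as_exchange(user: str, user_key: bytes) -> bytes:
    """Initial logon: the KDC checks the user's key and returns a TGT."""
    if not hmac.compare_digest(user_key, KDC_KEYS[user]):
        raise PermissionError("bad credentials")
    return seal(KRBTGT_KEY, {"user": user, "exp": time.time() + 600})

def tgs_exchange(tgt: bytes, service: str) -> bytes:
    """Service-ticket request: the KDC opens the TGT and issues a ticket
    sealed under the target service's key; the user's key is not needed."""
    claims = unseal(KRBTGT_KEY, tgt)
    if claims["exp"] < time.time():
        raise PermissionError("TGT expired")
    return seal(KDC_KEYS[service], {"user": claims["user"], "svc": service,
                                    "exp": min(claims["exp"], time.time() + 300)})

def service_accepts(service: str, service_key: bytes, ticket: bytes) -> str:
    """The server opens the ticket with its own key only; success proves the
    KDC authenticated the named user. Returns the user name, or raises."""
    claims = unseal(service_key, ticket)
    if claims["svc"] != service or claims["exp"] < time.time():
        raise PermissionError("ticket not for this service or expired")
    return claims["user"]
```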

What is AD DS?

Active Directory Domain Services (Identity)

AD DS is designed to provide a central repository for identity management within an organization. AD DS provides authentication and authorization services in a network and supports object management through Group Policy.

Because of this, AD DS is often referred to as a network operating system directory service. AD DS is the primary Active Directory technology and should be deployed in every network that runs Windows Server 2008 operating systems.

AD LDS is really a subset of AD DS because both are based on the same core code. The AD LDS directory stores and replicates only application-related information. It is commonly used by applications that require a directory store but do not require the information to be replicated as widely as to all domain controllers.

AD LDS also enables you to deploy a custom schema to support an application without modifying the schema of AD DS. The AD LDS role is truly lightweight and supports multiple data stores on a single system, so each application can be deployed with its own directory, schema, assigned Lightweight Directory Access Protocol (LDAP) and SSL ports, and application event log. AD LDS does not rely on AD DS, so it can be used in a standalone or workgroup environment. However, in domain environments, AD LDS can use AD DS for the authentication of Windows security principals (users, groups, and computers). AD LDS can also be used to provide authentication services in exposed networks such as extranets. Once again, using AD LDS in this situation provides less risk than using AD DS.

Active Directory Certificate Services (Trust)

Organizations can use Active Directory Certificate Services (AD CS) to set up a certificate authority for issuing digital certificates as part of a public key infrastructure (PKI) that binds the identity of a person, device, or service to a corresponding private key.

Certificates can be used to authenticate users and computers, provide Web-based authentication, support smart card authentication, and support applications, including secure wireless networks, virtual private networks (VPNs), Internet Protocol security (IPSec), Encrypting File System (EFS), digital signatures, and more. AD CS provides an efficient and secure way to issue and manage certificates.

You can use AD CS to provide these services to external communities. If you do so, AD CS should be linked with an external, renowned CA that will prove to others you are who you say you are. AD CS is designed to create trust in an untrustworthy world; as such, it must rely on proven processes that certify that each person or computer that obtains a certificate has been thoroughly verified and approved.

In internal networks, AD CS can integrate with AD DS to provision users and computers automatically with certificates.

Active Directory Rights Management Services (Integrity)

Although a server running Windows can prevent or allow access to a document based on the document’s ACL, there have been few ways to control what happens to the document and its content after a user has opened it.

Active Directory Rights Management Services (AD RMS) is an information-protection technology that enables you to implement persistent usage policy templates that define allowed and unauthorized use whether online, offline, inside, or outside the firewall. For example, you could configure a template that allows users to read a document but not to print or copy its contents. By doing so, you can ensure the integrity of the data you generate, protect intellectual property, and control who can do what with the documents your organization produces.

AD RMS requires an Active Directory domain with domain controllers running Windows 2000 Server with Service Pack 3 (SP3) or later; IIS; a database server such as Microsoft SQL Server 2008; the AD RMS client, which can be downloaded from the Microsoft Download Center and is included by default in Windows Vista and Windows Server 2008; and an RMS-enabled browser or application such as Microsoft Internet Explorer, Microsoft Office, Microsoft Word, Microsoft Outlook, or Microsoft PowerPoint.

AD RMS can rely on AD CS to embed certificates within documents, and on AD DS to manage access rights.

Active Directory Federation Services (Partnership)

Active Directory Federation Services (AD FS) enables an organization to extend IDA across multiple platforms, including both Windows and non-Windows environments, and to project identity and access rights across security boundaries to trusted partners. In a federated environment, each organization maintains and manages its own identities, but each organization can also securely project and accept identities from other organizations. Users are authenticated in one network but can access resources in another, a process known as single sign-on (SSO). AD FS supports partnerships because it allows different organizations to share access to extranet applications while relying on their own internal AD DS structures to provide the actual authentication process. To do so, AD FS extends your internal AD DS structure to the external world through common Transmission Control Protocol/Internet Protocol (TCP/IP) ports such as 80 (HTTP) and 443 (Secure HTTP, or HTTPS). It normally resides in the perimeter network. AD FS can rely on AD CS to create trusted servers and on AD RMS to provide external protection for intellectual property.

Active Directory Schema?

A set of rules, the schema, defines the classes of objects and attributes that can be contained in the directory. For example, Active Directory has user objects that include a user name and password because the schema defines the user object class, those two attributes, and the association between the object class and its attributes.